CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Kelley, Tim" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 10 Aug 2006 11:39:00 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (150 lines)

Rajesh,

I was waiting for this one since I forgot to include it in my original
email.  I have a *,*,* (vlan, subnet, os) userpage that catches the
overflow from the other OS specific userpages.

-Tim

Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Rajesh Nair (rajnair)
Sent: Thursday, August 10, 2006 10:57 AM
To: [log in to unmask]
Subject: Re: No filter but still no web login

Also, is the login page for all VLANs/subnets or only for the test VLAN?
-Rajesh.

________________________________

From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Dennis Xu
Sent: Thursday, August 10, 2006 10:39 AM
To: [log in to unmask]
Subject: Re: No filter but still no web login

Can other users get IP correctly?

I once saw one specific user who could not be directed to the web login
page because he got the same IP as the CAS IP in the management subnet.
Make sure to exclude the CAS IP in the management subnet from the
central DHCP range.

------------
Dennis Xu
Network Analyst (CCS)
University of Guelph
519-824-4120 x 56217
[log in to unmask]

________________________________

From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Kelley, Tim
Sent: Thursday, August 10, 2006 1:22 PM
To: [log in to unmask]
Subject: No filter but still no web login

Hi All,

I have been banging my head against the wall for the past three days
with this problem so I thought I would submit it to the group.  

The Setup:

        IB, Real IP, Failover CAS & CAM bundles

Briefly, here are the symptoms:

No users except on one VLAN (the test VLAN in my office) are being
redirected to the login page on requesting a url.  It works as expected
on my test VLAN.

Here is what I have done to test it:

1)      Verified that there are no subnet filters on either the CAS or
the CAM.

2)      Verified that there are no device filters on the CAS or CAM.

3)      Checked the 'Unauthenticated' role filter and see that it allows
access to the following (untrusted -> trusted):

a.      UDP & TCP  untrusted = *:*  trusted = 132.241.66.8/255.255.255.255:*
(our VPN server)

b.      TCP  untrusted = *:*  trusted = 132.241.82.62/255.255.255.255:80
(our ResNet web server)

c.      UDP DNS

d.      Otherwise, block all

4)      Allowed hosts are the stock setup.

5)      Bandwidth management not enabled.

6)      My test devices are not on the 'Certified Devices' list.

7)      I added a 'deny' filter for my test device's MAC and verified
that I was not able to access the Internet (to test whether there was a
layer 3 bypass of the CAS).

And then I started "poking it with a stick" because I was out of ideas:

8)      I verified that I was being issued an IP in a range appropriate
to the managed subnet.

9)      I deleted the managed subnet from the CAS and verified that I
could not access the Internet.

10)     I checked /proc/click/intern_validation_table on the CAS for 00
MACs as per Kyle Evans on the ListServ:

"We are running IB VGW, and we had a similar problem one time.  I don't
know what caused it exactly, but I suspect it had to do with managed
subnets not being created properly.  Anyway, cd to
/proc/click/intern_validation_table on the CAS.  Then do "cat table".
We found that if any IP addresses in that table had MAC addresses of all
0s, then whomever had that IP address could use the network unfettered."

        No 00:00... MACs

I am out of ideas.  I would love some help.

-Tim

Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148
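The two conditions raised in this thread, an all-zero MAC in the CAS validation table (Kyle Evans's note, step 10 above) and the CAS management IP being handed out by central DHCP (Dennis Xu's reply), can be checked with a small script. The code below is an added example and is not from the list thread or from Cisco/Perfigo; the layout of /proc/click/intern_validation_table/table is not shown anywhere in the thread, so the parser assumes one "IP MAC" pair per whitespace-separated line, the sample table is constructed, and the 10.20.0.x management-subnet numbers are hypothetical.

```python
"""Added example, not from the list thread or the Clean Access product.

Two checks the thread describes:
  1. Flag validation-table entries whose MAC is all zeros; per the thread,
     whoever holds such an IP can use the network unfettered.
  2. Confirm the CAS management-subnet IP is excluded from the central
     DHCP pool, so no client is leased the CAS's own address.

ASSUMPTION: the real table format is not shown in the thread. This parser
assumes one "IP MAC" pair per whitespace-separated line and skips lines
it cannot parse instead of aborting on a stray header or banner.
"""
import ipaddress
import re

ZERO_MAC = "00:00:00:00:00:00"
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample standing in for `cat table` on the CAS; not real data.
SAMPLE_TABLE = """\
# ip               mac
132.241.100.17     00:1b:63:a4:12:9e
132.241.100.18     00:00:00:00:00:00
132.241.100.19     08:00:27:3c:5d:1f
not a table row
132.241.100.20     00:00:00:00:00:00
"""


def parse_table(text):
    """Return [(ip, mac), ...] from the assumed "IP MAC" layout.

    Blank lines, '#' comments and rows that are not an IP followed by a
    MAC are skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or not _MAC_RE.match(parts[1]):
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((str(ip), parts[1].lower()))
    return entries


def zero_mac_entries(text):
    """IPs mapped to an all-zero MAC: the bypass condition named in step 10."""
    return [ip for ip, mac in parse_table(text) if mac == ZERO_MAC]


def cas_ip_in_dhcp_range(cas_ip, pool_start, pool_end):
    """True when the CAS management IP lies inside the DHCP pool [start, end].

    A client leased the CAS's own address cannot be redirected to the
    login page (Dennis Xu's case), so the pool must exclude it.
    """
    cas = ipaddress.ip_address(cas_ip)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    if not (cas.version == lo.version == hi.version):
        raise ValueError("all addresses must be the same IP version")
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    return lo <= cas <= hi


if __name__ == "__main__":
    for ip in zero_mac_entries(SAMPLE_TABLE):
        print(f"WARNING: {ip} has an all-zero MAC in the validation table")
    # Hypothetical management-subnet numbers, not CSU Chico's real ones.
    if cas_ip_in_dhcp_range("10.20.0.10", "10.20.0.1", "10.20.0.200"):
        print("WARNING: CAS IP 10.20.0.10 is inside the central DHCP pool")
```

Run it on the CAS (or on a copy of the table) after adjusting the parser to the real column layout; a non-empty list from zero_mac_entries is the condition Kyle Evans describes, and a True from cas_ip_in_dhcp_range means the central DHCP scope needs an exclusion for the CAS address.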
